We have a number of IT staff whose logins give them elevated privileges on our network, including a couple of domain admins. I want to create a second, regular user login for each of them. I could provide them with two workstations.
Having two workstations per user gets cumbersome, so we thought about using a VDI session for one of these roles.
Is anyone using a setup like this?
So if you follow
Why Privileged Access Workstations can help secure your organization | Microsoft Docs
if I remember right, privileged users can't be on the same blades as non-privileged accounts, the idea being that if the blade gets compromised through a security vulnerability, non-privileged accounts could get access to the privileged accounts through the hypervisor.
That being said, we do that. I have a desktop pool that our IT team uses on a dedicated subnet and haven't run into any issues. In general, people log on to their workstations as local users and then use privileged accounts or non-privileged accounts in the VDI image. We do require that if they use privileged accounts on the VDI images, there is a 2FA process that is needed as well.
Great Question:
This post is over a year old, but I thought I would add some context around PAW/SAW devices. VDIs are not a great PAW/SAW, as the idea is that the trust starts at the endpoint. This mitigates a keylogger threat as well as giving the ability to scope administration consoles to specific computers.
From a security perspective, the below statement is an issue, as a PAW/SAW should be a physical device.
One idea that we have used to mitigate carrying around two laptops is to create a restricted PAW managed by Intune (more details can be provided if needed). It is an expansion of your idea: "Log in to the workstation with the elevated account, open a VDI session to browse the web, read email, etc." We deploy a local VDI running on Hyper-V. This allows for a Tier 1 hypervisor to be used for security separation. It also allows the PAW requirement to be met.
Considerations:
1. Enable virtual TPM so BitLocker can be used.
2. Enable Remote Desktop with NLA and a firewall rule from the PAW only, to allow the webcam, mic and speakers to be passed to the virtual machine.
3. Consider managing the virtual machine just like all your other computers. We manage ours with Intune just like the PAW. We have an automated image that will auto-join it to Intune on import of the Hyper-V VM.
4. The image for Hyper-V is hosted in clean-source cloud storage accessible only to PAW users.
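The considerations above, as an added PowerShell example that is not the poster's own script or tooling. It is one script with two roles: the Host role runs elevated on the PAW and imports a locally copied export of the clean-source image, turns on Secure Boot and a virtual TPM (consideration 1) and prints the host's address on the virtual switch; the Guest role runs elevated inside the VM and turns on Remote Desktop with NLA, replaces the built-in any-source RDP firewall rules with one scoped to the PAW host, and clears the Terminal Services policy values that would block microphone, speaker and webcam redirection (consideration 2). The VM name, image path, switch name, every address, and the .rdp file it can write are assumptions; the Intune auto-join from consideration 3 is part of the image itself and is not scripted here.

```powershell
<#
  Added example (not from the thread). Run once per role:
    .\PawVm.ps1 -Role Host                                  # on the PAW, elevated
    .\PawVm.ps1 -Role Guest -AllowedRdpSource 172.20.0.1    # inside the VM, elevated
  VM name, image path, switch name and all addresses below are assumptions.
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Host', 'Guest')][string]$Role,
    [string]$VmName     = 'PAW-UserVM',             # assumed
    [string]$ImagePath  = 'C:\PAW\Images\UserVM',   # assumed: local copy of the clean-source export
    [string]$SwitchName = 'Default Switch',         # NAT switch that client Hyper-V creates out of the box
    [string]$AllowedRdpSource,                      # Guest role: the PAW host's address on that switch
    [string]$GuestAddress                           # Host role (optional): guest IP, to write an .rdp file
)

function Set-PawHost {
    Import-Module Hyper-V
    # Import the exported image as a copy with a fresh ID so every PAW gets its own instance.
    $vmcx = Get-ChildItem (Join-Path $ImagePath 'Virtual Machines') -Filter *.vmcx | Select-Object -First 1
    $vm   = Import-VM -Path $vmcx.FullName -Copy -GenerateNewId
    if ($vm.Name -ne $VmName) { Rename-VM -VM $vm -NewName $VmName }

    # Consideration 1: Secure Boot plus a virtual TPM so BitLocker inside the guest can seal to it.
    # A local key protector is enough for a single host; Host Guardian Service is the fleet option.
    Set-VMFirmware     -VMName $VmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
    Set-VMKeyProtector -VMName $VmName -NewLocalKeyProtector
    Enable-VMTPM       -VMName $VmName

    Connect-VMNetworkAdapter -VMName $VmName -SwitchName $SwitchName
    Set-VMHost -EnableEnhancedSessionMode $true   # vmconnect works for first boot, before RDP is on
    Start-VM -Name $VmName

    # The guest scopes its RDP firewall rule to this address.
    $hostIp = (Get-NetIPAddress -InterfaceAlias "vEthernet ($SwitchName)" -AddressFamily IPv4).IPAddress
    Write-Host "Run inside the VM: .\PawVm.ps1 -Role Guest -AllowedRdpSource $hostIp"

    if ($GuestAddress) {
        # Client side: NLA on, audio both ways and webcam redirected, clipboard and drives off.
        @"
full address:s:$GuestAddress
enablecredsspsupport:i:1
audiomode:i:0
audiocapturemode:i:1
camerastoredirect:s:*
redirectclipboard:i:0
drivestoredirect:s:
"@ | Set-Content -Path (Join-Path $env:USERPROFILE "$VmName.rdp") -Encoding ASCII
    }
}

function Set-PawGuest {
    if (-not $AllowedRdpSource) { throw 'Guest role needs -AllowedRdpSource (the PAW host address).' }
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Consideration 2: Remote Desktop on, NLA required (authenticate before a session is built).
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

    # Replace the built-in any-source RDP rules with a single rule scoped to the PAW host.
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-NetFirewallRule -DisplayName 'RDP from PAW host only' -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'RDP from PAW host only' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedRdpSource -Action Allow -Profile Any | Out-Null

    # Server-side Terminal Services policy values for playback, audio capture and webcam (0 = not disabled).
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    New-Item -Path $pol -Force | Out-Null
    foreach ($name in 'fDisableCam', 'fDisableAudioCapture', 'fDisableCameraRedir') {
        Set-ItemProperty -Path $pol -Name $name -Value 0 -Type DWord
    }
    Restart-Service TermService -Force
}

switch ($Role) { 'Host' { Set-PawHost } 'Guest' { Set-PawGuest } }
```

The Guest role deliberately disables the whole built-in "Remote Desktop" rule group before adding the scoped rule, because a stock rule that allows any remote address would otherwise sit beside the restrictive one and win. The .rdp file keeps clipboard and drive redirection off so the browsing VM cannot push files or clipboard contents back toward the privileged host; only audio and the camera cross the boundary, which is the point of consideration 2.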